You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Jeff Eggen <je...@sgi.sk.ca> on 2008/02/26 15:17:38 UTC
[users@httpd] AuthzLDAPAuthoritative and "no authoritative handler"
problems
Hi folks,
I'm having a problem with my first attempts to migrate a 2.0 server to 2.2, specifically with the LDAP configuration I'm using. I have a somewhat convoluted directory structure, with different permissions for different directories. My problem can be summed up with the configuration in httpd-vhosts.conf (see below); my actual configuration has additional Directory sections, some of which have multiple "require ldap-users" and "require ldap-groups", but the two I've copied here are able to recreate the problem.
<AuthnProviderAlias ldap ldap-site>
AuthLDAPURL ldap://*****/o=root?uid??(objectClass=inetOrgPerson)
AuthLDAPDereferenceAliases never
</AuthnProviderAlias>
<VirtualHost *:80>
ServerName docsite.sgi.sk.ca
DocumentRoot "/my/directory/htdocs"
<Directory "/my/directory/htdocs">
Options Indexes FollowSymLinks Includes
AllowOverride None
AuthBasicProvider ldap-site
AuthName "Login Now Please"
AuthType Basic
AuthzLDAPAuthoritative off
require valid-user
Order allow,deny
Allow from 10.0.0.8 10.0.1.9
Satisfy any
</Directory>
<Directory "/my/directory/htdocs/Infrastructure/private">
AuthBasicProvider ldap-site
AuthName "Login Now Please"
AuthType Basic
AuthzLDAPAuthoritative on
require ldap-group cn=mygroup,ou=container,ou=container,o=root
Order allow,deny
Allow from 10.0.0.8 10.0.1.9
Satisfy any
</Directory>
</VirtualHost>
The problem is that using this configuration I can sign in to the root of the site no problem, but when I try getting in to the private directory that is more restrictive apache throws errors like "access to /Infrastructure/private/index.html failed, reason: require directives present and no Authoritative handler." My understanding of the AuthzLDAPAuthoritative directive from the documentation is that if I'm using "require valid-user" I need to set it to off, but if I'm using "require ldap-user" or "require ldap-group" I need to set it to on; I'm doing so but it doesn't seem to be working as I expected it to. I can't find any mention on the net of anyone else experiencing this problem after they get the AuthzLDAPAuthoritative thing under control, so I'm assuming I'm missing something simple but I can't see what it is.
Any help would be appreciated!
Thanks,
Jeff Eggen
IT Analyst
Saskatchewan Government Insurance
Ph (306) 751-1795
email jeggen@sgi.sk.ca
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee, please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that using, disclosing, copying or distributing the contents of this information is strictly prohibited.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] AuthzLDAPAuthoritative and "no authoritative
handler" problems
Posted by Jeff Eggen <je...@sgi.sk.ca>.
>>> "Eric Covener" <co...@gmail.com> 2/26/2008 8:59 AM >>>
>When you define AuthLDAPURL in an AuthnProviderAlias, you also need
>to explicitly define the AuthLDAPUrl in any context where you use LDAP
>authorization (emphasis on authn vs authz)
>mod_authnz_ldap probably bailed out of authorization pretty quicklty
>when it didn't see an AuthLDAPUrl defined.
That's what I get for trying mod_authn_alias.
As per your suggestion, I removed <AuthnProviderAlias> section and added the AuthLDAPURL section back to my individual directory sections, and it works like a charm.
Thanks very much!
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee, please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that using, disclosing, copying or distributing the contents of this information is strictly prohibited.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] AuthzLDAPAuthoritative and "no authoritative handler" problems
Posted by Eric Covener <co...@gmail.com>.
On Tue, Feb 26, 2008 at 9:17 AM, Jeff Eggen <je...@sgi.sk.ca> wrote:
> <AuthnProviderAlias ldap ldap-site>
> AuthLDAPURL ldap://*****/o=root?uid??(objectClass=inetOrgPerson)
> AuthLDAPDereferenceAliases never
> </AuthnProviderAlias>
>
> <Directory "/my/directory/htdocs/Infrastructure/private">
> AuthBasicProvider ldap-site
> require ldap-group cn=mygroup,ou=container,ou=container,o=root
I believe Brad Nicholes fielded a bug report or users@ on this matter
within the last dozen weeks or so.
When you define AuthLDAPURL in an AuthnProviderAlias, you also need
to explicitly define the AuthLDAPUrl in any context where you use LDAP
authorization (emphasis on authn vs authz)
mod_authnz_ldap probably bailed out of authorization pretty quicklty
when it didn't see an AuthLDAPUrl defined.
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org